There is no such mechanism.  ... View more

Most often that message happens when the csv behind the lookup definition is missing. Check that. ... View more

Follow the Splunk docs to setup your lookup with a lookup definition and match type of CIDR for that column. https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourevents Then use the lookup as a lookup. The pattern is usually like the below to filter where in the lookup, MYSEARCH | lookup mylookup src OUTPUTNEW src as toFilter | where isnotnull(toFilter)    ... View more

EDIT (just realized someone answered this too) So consider this my thumbs up to that. Though the embedded example others provided works. It should be used sparingly. The TL/DR use a look AS a lookup. That scales even at large lookup sizes. | mysearch | lookup mylookup host OUTPUTNEW host as to_filterr | where isnull(to_filter) gives you results where it is not in the table. this has added option of using the lookup match types such as wildcard, CIDR etc etc. Calling a csv file directly in a subsearch does not. It is best to use the repeatable pattern. ... View more

You could write your own external lookup. You’ll have to read docs and be ok with python. The bigger issue is any free whois service won’t let you mass spam lookup and it will be slow.  so it is more important to decide what your search is trying to answer. Boil down to a small final result set before running whois lookups.  ... View more

Rich gave the stock answer. If you also want to make a search start with this. | rest splunk_server=local servicesNS/-/-/saved/eventtypes | search title=notable_suppression-* disabled=0 | rename eai:acl.app as app, title as object, search as command, updated as last_updated_readable | table disabled, app, object, description, last_updated_readable, command | eval _time=strptime(last_updated_readable,"%Y-%m-%dT%H:%M:%S%z") | eval isRecent=if(_time>relative_time(now(),"-1h"),true(),null()) | where isnotnull(isRecent) | rex field=command "_time\>(\=){0,1}(?P<start_time>\d+)" | eval start_time_readable=strftime(start_time,"%Y-%m-%dT%H:%M:%S.%f%z") | rex field=command "_time\<(\=){0,1}(?P<end_time>\d+)" | eval end_time_readable=strftime(end_time,"%Y-%m-%dT%H:%M:%S.%f%z") | eval end_time_large=if(end_time>relative_time(now(),"+90d"),true(),null()) | eval duration=end_time-start_time | `uptime2string(duration,duration_readable)` | append [ search eventtype=suppression_audit | fillnull value=unknown suppression, status, user | fillnull value=modified action | table _time, suppression, action, status, user | eval object="notable_suppression-".suppression] | eventstats values(user) as user, values(action) as action, values(status) as status by object | where isnull(suppression) | fillnull value=modified action | fillnull value=unknown user | rex mode=sed field=action "s/create/created/" | rex mode=sed field=action "s/edit/modified/" | `get_identity4events(user)` | fields - command    ... View more

It is usually a bad idea to aadd anything to one of the stock CIM DataModels. The reason is unlike normal Splunk configurations dadtamodels are stored as JSON files and do NOT benefit of the default/local merging. So if you edit a DM you now have a full static copy in the local folder that overrides the one in default. So if the stock ones get updated you never see it. You are then in the business of hand adding every little change. We usually recommend since you have to have a copy anyway make an actual different named copy. So you can not tamper with the stock ones and use your custom one as desired. ... View more

Splunk is a general data search tool. You would have to ingest such information and execute searches against it. You can use the Splunk API to execute searches from outside of Splunk. https://docs.splunk.com/Documentation/Splunk/9.0.2/RESTREF/RESTprolog However if you are looking for "give me recent vulns api" endpoint that is something for Vuln management consoles that go with your scanning tool. You should look there.   My personal opinion is also Splunk is a horrible place for vulnerability data. Splunk is a time series data system which does not lend itself to what a vulnerable console system does.  Yes you can hammer it in but trying to recreate such a product in Splunk is painful. ... View more

Just an FYI delete command does not delete. It only hides events from search. If you are knowledgable enough you can edit files on disk at the indexer to bring it back. Removing rights to run the command and monitoring for it's use is generally enough. ... View more

Why are you joining instead of just not using the lookup as a lookup? ... View more

The traditional easiest solution is implement encryption between domains at your email gateway device. Or implement one capable of it. Then it won’t matter what or whom sends email to them.  ... View more

with some cleanup since Splunk can't onboard their own audit logs. index=_audit info=succeeded method=Splunk user!=internal_observability | rename useragent as http_user_agent | eval signature=reason." local splunk user login", src=coalesce(clientip,"unknown"), session_id=session | iplocation prefix=src_ src ... View more

I would open a support ticket with anomali. That’s their code. Something in way they are trying to hit kvstore.  ... View more